certification schemes for cloud computing -...
TRANSCRIPT
WE
CAN DO
SO MUCH
TOGETHER
Certification Schemes for Cloud Computing DSM Cloud Stakeholders kick off meeting
Leire Orue-Echevarria TECNALIA December 12th, 2017
SMART 2016 / 0029
01 Context
04 Scenarios 03 Security framework
Agenda
05 Next steps
02 Approach
01 Context and Motivation
What is limiting enterprises from using cloud computing services?
(*) Source: Eurostat, 2014
Factors limiting enterprises from using cloud computing services, by size class, EU-28, 2014 (*)
This can be extended to the Public Sector
01 Context and Motivation
Key indications to create new strategies and policies for the adoption of cloud computing (*) – Raise awareness and educate users and SMEs on cloud
security. – Improve the transparency of cloud services: continuous
monitoring mechanisms, accountability through, for example, certification and other mechanisms.
– Flexible policy approaches towards cloud security to allow further technological advancements.
– Data Protection, where and how they are stored, accessed, transferred and processed.
– Strengthen cooperation and define clear procurement guidelines built on cooperation between industry and public sector.
(*) Source: 2015 EU28 Cloud Security Conference
01 Context
Customers need to know and be assured that their data is equally safe no matter where they are located or who provides the service
– What security aspects need to be considered in cloud computing that ensure Free Flow of Data and cross-border?
– What regulation aspects need to be considered / addressed?
What should be the role of the EC?
01 Context
ISO/IEC 17203, ISO/IEC 17826:2012, ISO/IEC 19041, ISO/IEC 19044, ISO 19086, ISO/IEC 19099, ISO/IEC 19831, ISO 19941, ISO 19944, ISO/IEC 20000-1, ISO 22301,ISO/IEC 24760-1, Family of ISO/IEC 2700x, ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115.
NIST SP 500-299, Draft NIST SP 500-307, NIST SP 800-125, NIST SP 800-144 NIST 800 - 53
CSA CCM, CSA Star, CSA PLA, CSA Attestation - OCF Level 2, CSA Attestation - OCF Level 1, CSA Self-Assessment - OCF Level 1
OASIS TOSCA, OASIS CAMP SNIA CDMI, DMTF DSP0243, DMTF DSP0263
ITU-T X.1601, ITU-T X.1631 AICPA SOC 1, AICPA SOC 2, AICPA SOC 3
Plethora of standards, schemes and other relevant frameworks
Others
01 Context
04 Scenarios 03 Security framework
Agenda
05 Next steps
02 Approach
02 Approach
Standards Frameworks
Schemes Public Initiatives
Private - Public Initiatives
Policy Market
Adoption Stakeholders
Analysis
02 Approach
Standards Frameworks
Schemes Public Initiatives
Private - Public Initiatives
Policy Market
Adoption Stakeholders
Analysis
02 Approach
Analysed 20+ security and cloud related schemes and compared them with ENISA CCSM
02 Approach
Not covered
Partially covered
Fully covered
Scheme 1 Scheme 2 Scheme 3 Scheme 4 Scheme 5 Scheme 6 Scheme 7 Scheme 8 Scheme 9
1. Information security policy
2. Risk management
3. Security roles
4. Security in Supplier relationships
5. Background checks
6. Security knowledge and training
7. Personnel changes
8. Physical and environmental security
9. Security of supporting util ities
10. Access control to network and information systems
11. Integrity of network and information systems
12. Operating procedures
13. Change management
14. Asset management
15. Security incident detection and response
16. Security incident reporting
17. Business continuity
18. Disaster recovery capabilities
19. Monitoring and logging policies
20. System tests
21. Security assessments
22. Checking compliance
23. Cloud data security
24. Cloud interface security
25. Cloud software security
26. Cloud interoperability and portability
27. Cloud monitoring and log access
Example of coverage summary
Available standards tackle many issues that require to go through different certification / attestation processes
The depth in which security aspects are covered varies depending on the standard
02 Approach
02 Approach
Standards Frameworks
Schemes Public Initiatives
Private - Public Initiatives
Policy Market
Adoption Stakeholders
Analysis
Analyzed strategies from the governments of Spain, Italy, Germany, France, Latvia
02 Approach
• 17 control areas
• Per each control: Objective, requirement (basic, additional)
• Attestation • No certificate, • Relies on int’l
standards • Cloud-specific
DE – C5 catalogue
IT - PM Decree 2013
• National ICT security certification scheme based on int’l standards,
• no cloud-specific
ES - ENS
• For eAdmin CSP / digital providers
• Dedicated regulation for cloud issues, providers or not of the eAdmin
• Systems have categories: low, medium, high • Low=self
assessment • Medium/high=
audit every 2 years
• Audit
FR - SecNumCloud
• Certification for CSPs • Based on ANSSI
recommendations and int’l standards
• 2 levels: basic and advanced (^)
• Label
(^) Requirements for ‘Advanced’ are as of 08.09.2017 not published
Different maturity levels of public sector initiatives in EU28
Different approaches: from market driven to highly regulated scenarios
Different levels of granularity
Harmonisation at EU level is considered necessary
02 Approach
02 Approach
Standards Frameworks
Schemes Public Initiatives
Private - Public Initiatives
Policy Market
Adoption Stakeholders
Analysis
Analyzed (cross-border) public-private initiatives: Trusted Cloud, Label Cloud, ESCloud, Zeker Online
02 Approach
Trusted Cloud Label Cloud ESCloud
• German initiative, now onto FR and NL
• Non-profit association
• For SMEs, both CSPs and cloud users
• Own criteria catalogue
• Legally bound self-assessment
• Initiative by France IT • For SMEs • 3 layers (IaaS, PaaS, SaaS) • 3 levels: initial,
confirmed, expert • Based on NIST and ITIL • Label for 2 (initial), 3
(confirmed), 4 (expert) years
• Continuous improvement, so recertification obliges to obtain better results than the previous time
• Collaboration of France and Germany
• Label • 15 core
principles • No mutual
recognition between SecNumCloud and C5
Zeker Online
• 2 pillars: legal and infrastructure
• covers the whole service stack
• Based on standards
• Audit
Cross-border efforts are commendable
However, mutual recognition is still not sufficiently addressed
Duplication of efforts?
02 Approach
02 Approach
Standards Frameworks
Schemes Public Initiatives
Private - Public Initiatives
Policy Market
Adoption Stakeholders
Analysis
Survey: 28.09.2017 – 15.11.2017
Reopened and accessible through: http://tinyurl.com/cloudcertification
494 respondents but only 200 answers were 100% complete, which have been retained for analysis
02 Approach
02 Approach
Austria ; 4,17%
Belgium ; 8,33% Bulgaria ; 0,69%
Croatia ; 1,39%
Cyprus ; 0,69%
Czech Republic ; 0,00%
Denmark ; 1,39%
Estonia ; 1,39%
Finland ; 1,39%
France ; 10,42% Germany ; 18,75% Greece ; 2,08%
Hungary ; 0,00%
Ireland ; 1,39%
Italy ; 6,25% Latvia ; 2,08%
Lithuania ; 0,00%
Luxembourg ; 0,69%
Malta ; 0,00%
Netherlands ; 9,03%
Poland ; 0,69%
Portugal ; 0,69%
Romania ; 1,39%
Slovak Republic ; 2,08% Slovenia ; 1,39%
Spain ; 8,33%
Sweden ; 1,39%
United Kingdom ;
5,56%
Other ; 8,33%
Country
Switzerland, US, Chile, South Korea and Israel
02 Approach
Cloud Service Provider ;
34,72%
Cloud Service Consumer ;
40,28%
Public Authority ;
8,33%
Certification authority ;
11,11%
Standardization body ; 5,56%
A certification scheme would increase the adoption of cloud computing (79,2% of the respondents)
56,94% believe that there should be one certification scheme per service layer
56,94% are aware of initiatives being ISO27001, C5, CSA Star, LEET security, Trusted Cloud, SecNumCloud the most named ones.
59% are aware of cross-border initiatives as well as good practices in cloud security
45% are aware of policy initiatives on cloud
02 Approach Conclusions from the survey
02 Approach Conclusions from the survey
6,25%
10,42%
26,39%
32,64%
16,67%
7,64%
0,00% 5,00% 10,00% 15,00% 20,00% 25,00% 30,00% 35,00%
Self-regulatory industry initiatives
Foster mutual recognition of existing nationalinitiatives
Create a European – wide certification framework
None of the others
Actions to reduce fragmentation
Provider of a certification scheme should be either an independent standardization body or an accredited institution (27.78% vs. 26.39%)
Jurisdiction of the certification should be at EU-level
02 Approach Conclusions from the survey
02 Approach Conclusions from the survey
02 Approach Conclusions from the survey
02 Approach Conclusions from the survey Lack of mutual recognition of
certificates across Member States ;
16,38%
Too expensive to obtain the
certification as well as to
maintain it; 11,21%
Few economic benefits ; 18,10%
Certification process is too long ; 12,07%
Certification process is not transparent ;
6,90%
Lack of a dedicated
certification schemes for cloud security ; 12,07%
Diversity of processes /
schemes depending on the
countries or sectors where the service is offered ;
15,52%
Other; 7,76%
Problems faced when dealing with a certification
Cost to obtain and maintain a certification is reported to be between 10,000 € – 100,000 €
Recertification / renewal is mostly 1-3 years
Certification is thought to prevent security incidents, which have occurred to 30% of the respondents with an economic impact of less than 100,000€, although most respondents have not quantified it
Current fragmentation is a barrier to get a certification (65%)
02 Approach Conclusions from the survey
The public sector and the EC should:
– Lead and contribute to the definition of a security certification scheme, reusing and harmonizing existing initiatives
– Set standards and applicable legislation
– Be a Promoter and Influencer
CSP Procurers of the public sector should be certified (92%)
02 Approach Conclusions from the survey
02 Approach
Standards Frameworks
Schemes Public Initiatives
Private - Public Initiatives
Policy Market
Adoption Stakeholders
Analysis
Compliance / accreditations by the Top 50 CSPs (XaaS)
02 Approach Market adoption
Compliance with Member States’ requirements
02 Approach Market adoption
Adoption of ISO 27001 (*)
02 Approach
(*) source: http://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1
Market adoption
Market adoption
Adoption of ISO 27001 (*)
02 Approach
(*) source: http://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1
02 Approach
Standards Frameworks
Schemes Public Initiatives
Private - Public Initiatives
Policy Market
Adoption Stakeholders
Analysis
EC Communication (2012)
02 Approach
“cut through the jungle of standards”
#DigitalSingleMarket
#EUdataFF
Cross-border services
eGov Action Plan
ENISA CCSL and CCSM (2013)
Cloud Standardization Initiative – ETSI
(Phase I and Phase II)
DSM Cloud Stake-
holders
ECP
C-SIG
Regulation
GDPR
Policy
NIS
Digitising the European Industry
ePrivacy
02 Approach Policy
As regards to the Data Economy and the free flow of Data, relevant advances have been made, but still additional harmonized effort is needed to reach the DSM and address existing barriers to the free flow of data across borders and sectors.
There is a need for more coordinated efforts in order to launch a new harmonized regulation, regulating aspects such as for instance how to classify and certify providers of digital services or how to ensure that the free flow of data is possible.
01 Context
04 Scenarios 03 Security framework
Agenda
05 Next steps
02 Approach
03 Security Framework
Determine (cloud) security controls and
categories
Match existing standards / schemes with these controls
ISO 27002, C5, CSA CCM, NIST 800-53,
ENISA CCSM
Gap Analysis (as-is vs. should)
Recommendations
Process followed
03 Security Framework
19 categories defined (1/2)
EC-CLOUD CATEGORIES
1. Information Security Policies 2. Personnel & Training
3. Asset Management 4. Identity & Access
Management
5. Cryptography & Key management
6. Physical Infrastructure Security
7. Operation Security 8. Communications Security
9. Procurement Management 10. Incident Management
Process followed
03 Security Framework
19 categories defined (1/2)
EC-CLOUD CATEGORIES
11. Business Continuity 12. Disaster Recovery
13. Compliance 14. Security Assessment
15. Device Management 16. Interoperability &
Portability
17. System Security & Integrity 18. Change & Configuration
Management
19. Risk / Threat / Vulnerability Management
Process followed
03 Security Framework
Certification schemes cover different aspects with different levels of granularity and requirements
A harmonized certification scheme would increase trust in CSPs
Initial findings
01 Context
04 Scenarios 03 Security framework
Agenda
05 Next steps
02 Approach
04 Scenarios
Scenario 1
Market Driven
Scenario 2
Best Practices
Scenario 4
Certification Framework
Scenario 3
EU Common Legal
Framework
Scenario 5
Common Highly Regulated
Framework
Legal Requirements
Technical Requirements
1. Mutual recognition
2. Promotion of an existing initiative to EU level
3. From scratch
04 Scenarios
For each scenario, we have identified: – Pros
– Cons
– Best practices
– Agents involved
– Additional content required
Next, identify: – Impact: regulatory, social, economic
– Governance model
– Include the gatherings from the security framework
01 Context
04 Scenarios 03 Security framework
Agenda
05 Next steps
02 Approach
Gather more evidence from stakeholders
Finish the development of the security framework
Identify the impact (regulatory, social, economic) of each of the identified scenarios at EU-level
State recommendations and potential roadmap
05 Next steps
Visita nuestro blog:
http://blogs.tecnalia.com/inspiring-blog/
www.tecnalia.com
Leire Orue-Echevarria Arrieta, MBA, PhD División ICT / ICT Division IT Competitiveness [email protected] C/ Geldo. Parque Tecnológico de Bizkaia, Edificio 700 E-48160 Derio - Bizkaia (Spain) Tel: 902 760 000 *. Tel: +34 946 430 850 (International Calls). Mob: +34 664 103 005